Prepared by Larry Kloppenborg and Hennie Bekker.
With the recent release of the 2015 version of ISO 9001 and the new emphasis areas for business management, the fundamentals of nonconformity management have remained. The management of nonconformities for both products and processes (i.e. cause, correction, corrective action and preventive action) throughout the 1994, 2000 and 2008 versions has been an important tool for continual improvement. But, sadly, in many organisations the nonconformity management processes and procedures are often confused or poorly implemented.
So, whether you are updating your management system to meet the ISO 9001:2015 requirements or remaining with your 2008 version for the next 2 to 3 years, you still need to check that your nonconformity management processes are integrated and properly managed.
Nonconformity management processes
With the introduction of the 2015 version of ISO 9001 the term and concept “preventive action” has been discontinued (and rightfully so) and therefore is no longer considered as a nonconformity management process. Instead, it is considered a risk management process, which the standard addresses through its “risk-based approach” requirements.
One of the greatest failings with the implementation of corrective actions can be attributed to the poor understanding of the actual cause of the initial deviation. In the many years of conducting company audits (internal and 2nd party) and evaluating compliance and effectiveness, the singular most obvious failing in managing nonconformities was found to be the lack of a proper/clear understanding of the reason/factor(s) causing the initiating deviation. Notwithstanding this, in many cases, those affected simply embark on a course of action which can be best described as “what is the easiest or simplest thing to do, to get the matter fixed”. Typically, the actions include ‘scrap the item’, ‘lecture the worker on the trouble caused’, or ‘do not do this step next time’.
Contributing to this failing is the use of a nonconformity/corrective action template, which is cluttered with peripheral info and data tick boxes, which in many cases is never considered in any form of analysis. Why, you may ask? It is because the form or template is often copied from another company and pushed into the management system. The template is supposed to guide the quality practitioner at the time of completing the document, to capture all the relevant facts and outcomes decisions. Hence, the template’s focus must be on those important aspects and be simple to understand and use. Yes, mature companies with mature practitioners and mature QMSs will have complex forms applicable to their systems, but these are not necessarily right for your business.
The template must contain at least some data fields recording the reference number, date and time, name of persons involved, and recording the governing norm/standard/requirement and a description of the deviation. The description must be factual and clearly identify the deviation from the applied requirement (governance). Referencing the actual governance (para/clause) can be of great assistance for many reasons, as it confirms that such a requirement exists, which governance norm is affected and should be checked for correctness, etc.
A unique identifier (number) is assigned to the nonconformity once it is recorded. Then it should be allocated to the person most responsible for the affected process or product. The product/process owner must initiate the degree of investigation commensurate with the deviation and associated/potential risk and its impact. All too often the degree (level and extent) of investigation is limited and rushed, resulting in not fully understanding the cause(s) and only identifying enough action “to get rid of the issue” under the pretence of closing-out (and hoping the issue will not recur). Well – in almost all such cases the issue recurs!
The investigation (root-cause analysis) should follow a logical route for which a variety of techniques is available, for example, event and cause, five Whys, barrier analysis, risk tree, etc. Basically, the logic is to understand the cause(s) of the nonconformity and to identify interventions that will address the gap between the governance and the initiating event that caused the deviation.
Often observed is the complete lack of connection between the cause(s) of the nonconformity and the implemented corrections and corrective actions. This should alert the need for a review of the applicable governance, e.g. Is the governance clear? Is this part of the product/process covered? Is the governance actually applied? (i.e. known by the process owner and users).
In the case of product nonconformity, the product needs to be separated from other products pending resolution of how the non-conforming product is to be dealt with e.g., use-as-is, repair, reject, re-work. Apply for and obtain approval of a concession request from the customer. Although the focus of managing a nonconforming product is about getting the product corrected and/or delivered to the customer, one must address the associated processes which allowed the nonconformity to occur and institute corrective action to eliminate the root-cause thereof, to prevent its recurrence.
The correction and corrective actions must consider the process factors, for example the “4Ms” namely Man, Machine, Material and Methods. These factors consider inter alia the fabrication process, operator interfaces, standards and rules, and safe operations. At this juncture a logical balance is to be considered between the clear understanding of the cause of the nonconformity and the determined corrective actions required. Of course the corrective actions must also be considered against risk, cost and effectiveness.
Sadly, in many instances the effectiveness of the implemented corrective actions is never followed up. Sometimes this type of verification is only done long after implementation (note: the verification period is a function of the frequency of operation). This potentially results in the recurrence of the same or similar deviation with applied “work-around” to get the product out. The follow-up/verification of corrective actions should be done as soon as possible to evaluate their effect and whether additional or revised interventions may be required. The verification periods may vary from minutes to days to weeks, depending on the complexity of the product and processes. The final resolution of nonconformities may require iterative interventions before the risk of their recurrence is resolved or reduced to levels deemed acceptable in terms of the organisational risk appetite and profile.
Your internal audit process is part of monitoring and measurement (i.e. clause 8.2 of ISO 9001:2008) and should be cross-referenced to establish and provide assurance of the effectiveness of the instituted corrective actions.